Summary
Currently coder.ddev.com only supports GitHub OAuth for login. This issue tracks adding alternative authentication options to reduce friction for users who prefer not to authorize a third-party service with their main GitHub account, and to broaden access for non-GitHub users.
Current GitHub OAuth Behavior
Coder requests three read-only GitHub OAuth scopes:
- read:user — public profile data
- user:email — email addresses (including private ones)
- read:org — organization membership
What this means in practice:
- coder.ddev.com cannot read private repositories, push code, create issues, or perform any write action
- The OAuth token is stored in Coder's database and does not expire unless revoked
- Users can revoke at any time: GitHub Settings → Applications → Authorized OAuth Apps
The risk profile for using a personal GitHub account is low, but some users will reasonably prefer not to grant any third-party access to their GitHub account.
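As an added illustration of the least-privilege point above (example code, not part of the DDEV or Coder projects): GitHub reports the scopes a token actually carries in the X-OAuth-Scopes response header of any authenticated API call, so an operator can audit a stored token against the three read-only scopes the issue lists. The header value below is constructed so the example runs offline; the scope-hierarchy table is a small subset of GitHub's documented scope hierarchy and the write-scope list is illustrative.

```python
"""Least-privilege audit of a GitHub OAuth token's granted scopes.

Added example. The X-OAuth-Scopes value is constructed here rather than
fetched from api.github.com so the check runs offline.
"""

# The three read-only scopes the issue says coder.ddev.com requests.
EXPECTED_SCOPES = {"read:user", "user:email", "read:org"}

# Broader scopes that imply a narrower one (subset of GitHub's scope
# hierarchy from its "Scopes for OAuth apps" documentation).
IMPLIED_BY = {
    "read:user": {"user"},
    "user:email": {"user"},
    "read:org": {"write:org", "admin:org"},
}

# Scopes that would grant repository or write access the app must not hold
# (illustrative list, not exhaustive).
WRITE_SCOPES = {"repo", "public_repo", "write:org", "admin:org", "workflow", "delete_repo"}


def parse_scopes(header_value: str) -> set:
    """Parse an X-OAuth-Scopes header value such as 'read:user, user:email'."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def covers(granted: set, needed: str) -> bool:
    """True if `needed` is granted directly or via a broader scope implying it."""
    return needed in granted or bool(granted & IMPLIED_BY.get(needed, set()))


def audit_scopes(header_value: str) -> dict:
    """Compare granted scopes with the expected read-only set.

    Returns what is missing (login would break), what is in excess (more than
    the app needs) and which excess scopes carry write access.
    """
    granted = parse_scopes(header_value)
    missing = {s for s in EXPECTED_SCOPES if not covers(granted, s)}
    excess = granted - EXPECTED_SCOPES
    write_access = granted & WRITE_SCOPES
    return {
        "granted": granted,
        "missing": missing,
        "excess": excess,
        "write_access": write_access,
        "ok": not missing and not excess,
    }


if __name__ == "__main__":
    # Constructed header values: one matching the issue's scope set, one over-broad.
    print(audit_scopes("read:user, user:email, read:org"))
    print(audit_scopes("user, read:org, repo"))
```

A token whose audit reports a non-empty `write_access` set contradicts the "read-only" claim above and should be revoked via GitHub Settings → Applications → Authorized OAuth Apps and re-issued with the minimal scopes.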
Alternative Auth Options Coder Supports
Coder has built-in support for several alternatives. References:
1. Username/Password (Built-in)
Already available in Coder by default. No configuration needed — just enable it in the UI or leave it enabled. Users create a local account without any external OAuth dependency.
Consideration: Requires password management; no SSO; good for users who want complete separation from external accounts.
2. OIDC with Google / Microsoft / Okta
Coder supports any OIDC-compliant provider. OIDC is more privacy-preserving than OAuth because the identity provider handles authentication and returns only a signed identity assertion (email + username) — Coder never receives a token that can query GitHub's API.
Examples:
- Google (accounts.google.com) — widely available, no GitHub dependency
- Microsoft Entra ID — common in enterprise contexts
- Okta — enterprise SSO
3. GitLab OAuth / OIDC
Relevant for Drupal contributors who already use drupalcode.org (which runs GitLab). Would allow login with an existing Drupal community identity.
4. Self-Hosted OIDC (Keycloak / Authentik)
Maximum control option: run an identity provider that federates against GitHub, GitLab, LDAP, etc., but presents only OIDC claims to Coder. DDEV controls exactly what identity information is shared.
Suggested Actions
References